On Feb 1, 2006, at 5:41 , Leroy Tennison wrote:

I know about integrated login but is it possible to create a Linux and/or Windows configuration where OpenAFS is the only "authenticator" meaning that there is no need for IDs/passwords in local files or another authentication service like NIS, LDAP, Samba, AD, etc? If so, can you point me to information on how to do it? Maybe I'm just not thinking clearly but nothing is coming to mind. Thanks for any input.

Not really.

1. For Windows to get all the extra permissions it hides in its Kerberos 5 tickets, you need to use AD (or possibly recent Samba).

2. AFS can provide passwords via some form of Kerberos, and in theory you could get user IDs via an nsswitch module that queried pts; but there's no way to get home directories, Unix groups (which are very different from AFS groups), shells, etc.

3. Unless all your Unix systems are completely homogeneous (i.e. not even different releases of the same vendor's OS), you'll find that every system has different uids and gids for system accounts and you can't safely change them around to fit pts's ideas.

3a. AFS admin (almost always pts id 1) would be a very bad thing to map to Unix uid 1.

4. If you ever need to work on a Unix machine in single-user mode without network, you will need local accounts for at minimum root and the system accounts.

I think the best you could do right now is using AD for Kerberos+LDAP with a Unix schema added; but pts needs to remain separate, although I think someone may be poking at LDAP-backed pts.

--
brandon s. allbery    [linux,solaris,freebsd,perl]      [EMAIL PROTECTED]
system administrator  [openafs,heimdal,too many hats]  [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon university    KF8NH



_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
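The reply above argues that pts can at best supply a name and a numeric id, that the rest of a passwd entry (gid, home, shell) has to come from somewhere else, and that mapping pts ids straight onto Unix uids collides with system accounts whose uids differ from host to host (admin as pts id 1 being the worst case). The following is an added example, not code from the OpenAFS project or from either poster, that makes those two points checkable: it parses a constructed `pts listentries` listing and constructed /etc/passwd excerpts from two hypothetical hosts ("hostA", "hostB"), shows what a pts-only nsswitch module could hand out, and reports every pts id that clashes with a local account. The user and group names and ids are invented sample data.

```python
"""Check whether pts ids could safely double as Unix uids.

Added example (not OpenAFS project code). It parses constructed
`pts listentries` output and constructed /etc/passwd excerpts from two
hosts, then reports (a) the passwd fields pts cannot supply and (b) pts
ids that collide with local system accounts on either host.
"""
from dataclasses import dataclass

# Constructed sample of `pts listentries` output (invented cell data).
# Negative ids are groups; only positive ids are users.
PTS_LISTENTRIES = """\
Name                          ID  Owner Creator
anonymous                  32766   -204    -204
admin                          1   -204    -204
ltennison                    101   -204    -204
build                        102   -204    -204
"""

# Constructed /etc/passwd excerpts from two hypothetical hosts whose
# system accounts were assigned uids in a different order.
PASSWD = {
    "hostA": """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
bin:x:2:2:bin:/bin:/bin/false
""",
    "hostB": """\
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
build:x:101:101:build:/home/build:/bin/bash
""",
}


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_pts_listentries(text: str) -> dict[str, int]:
    """Return {name: id} for user entries; skip the header and group ids."""
    users = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        pid = int(fields[1])
        if pid > 0:
            users[fields[0]] = pid
    return users


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse the seven-field passwd format into entries."""
    entries = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        entries.append(PasswdEntry(f[0], int(f[2]), int(f[3]), f[5], f[6]))
    return entries


def synthesize_passwd(pts_users: dict[str, int]) -> list[PasswdEntry]:
    """What an nsswitch module backed only by pts could hand out.

    pts knows a name and a numeric id and nothing else, so gid, home
    and shell are placeholders that the caller would have to invent.
    """
    return [PasswdEntry(name, pid, -1, "<unknown>", "<unknown>")
            for name, pid in pts_users.items()]


def find_collisions(pts_users: dict[str, int], passwd_by_host: dict[str, str]):
    """Return sorted (host, pts_name, pts_id, local_name, local_uid) tuples.

    A tuple is emitted when a pts id equals a local uid under a different
    name, or when the same name carries a different uid locally.
    """
    problems = []
    for host, text in passwd_by_host.items():
        for local in parse_passwd(text):
            for name, pid in pts_users.items():
                if pid == local.uid and name != local.name:
                    problems.append((host, name, pid, local.name, local.uid))
                elif name == local.name and pid != local.uid:
                    problems.append((host, name, pid, local.name, local.uid))
    return sorted(problems)


if __name__ == "__main__":
    users = parse_pts_listentries(PTS_LISTENTRIES)
    for entry in synthesize_passwd(users):
        print(f"pts-only passwd entry: {entry}")
    for host, pname, pid, lname, luid in find_collisions(users, PASSWD):
        print(f"{host}: pts {pname}({pid}) clashes with local {lname}({luid})")
```

Run against the constructed data the script reports admin(1) clashing with daemon on hostA and with bin on hostB, and the uid 101 that hostB hands to its local build account clashing with ltennison's pts id; the synthesized entries show every field beyond name and uid left as a placeholder, which is the gap the reply describes.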
